The draft guide, NIST Cloud Computing Synopsis and Recommendations (Special Publication 800-146), provides information for IT decision makers interested in moving into the cloud.
“Information security in the cloud is a real challenge”, said Lee Badger, an IT specialist with the NIST’s Computer Security Division and one of the authors of the publication.
“There are several factors to consider. One is that cloud systems, at least in some of their configurations, are outsourced system. Therefore, for one to have confidence that the system is treating your data with due care, one has to have confidence that the people who are running that system are exercising the care you think is appropriate”, Badger told Infosecurity.
“The importance of the boundaries that separate cloud users is high” in terms of security, Badger noted. Also, “you may not know geographically where your data is located. That might reduce confidence”, he said.
At the same time, the cloud places resources under a common administration; therefore, organizations that use the cloud can benefit from the security expertise of the cloud provider, he added.
In the publication, NIST recommends that organizations take a number of steps to ensure that their data is secure when they move to the cloud.
First, organizations should employ best practices for web browser security and patching and seek to minimize browser exposure to possibly malicious websites.
Second, organizations should require that strong encryption is used for web sessions whenever a rented application requires the confidentiality of application interactions with other applications or data transfers. Also, subscribers should require that the same diligence is applied to stored data.
Third, they should consider physical plant security practices and plans at provider sites as part of their overall risk considerations when selecting a provider. Cloud subscribers should write plans for recovery from physical attacks, investigate whether a provider offers redundancy, and opt for a provider that is not tied to a specific geographic location in case of natural disasters or other disruptions.
Fourth, organizations should consider the use of authentication tokens, which some providers offer, to mitigate the risk of account hijacking.
Fifth, they should have visibility into the authentication and access control mechanisms that the provider infrastructure supports, the tools that are available for cloud subscribers to provision authentication information, and the tools to input and maintain authorizations for subscriber users without the intervention of the provider.
Sixth, organizations should benchmark current performance scores for an application, and then establish key performance score requirements before deploying that application to a provider’s site. Key performance scores include responsiveness for interactive user applications, and bulk data transfer performance for applications that must input or output large quantities of data on an ongoing basis.
And finally, organizations should request that a provider allow visibility into the operating services that affect their data or operations on that data.
NIST is seeking industry comments on the draft guide to cloud computing. Comments should be sent to 800-146comments@nist.gov by June 13.